NIS2 for French SMEs in 2026: scope, duties, fines
NIS2 in France for SMEs in 2026: essential vs important entities, size thresholds, governance duties, ANSSI 24h/72h incident notification and penalties up to EUR 10m or 2% of global turnover.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. Directive (EU) 2022/2555, known as NIS2, was due to be transposed into French law by 17 October 2024. The French "cyber resilience bill" was adopted by the Senate on 12 March 2025 and unanimously approved in the National Assembly's special committee in September 2025; floor debate is scheduled for summer 2026. The French scope covers 15,000 to 18,000 entities split into essential entities (EE) and important entities (EI), with administrative fines capped at EUR 10m or 2 % of global annual turnover for EE and EUR 7m or 1.4 % for EI.
2026 context: why NIS2 is now a board-level issue
NIS2 is no longer an IT-only file. By May 2026, almost every French SME and mid-cap has already received, within the past twelve months, either a cyber questionnaire from a large customer, an attestation request from an insurer, or a notification following a targeted phishing attempt. Directive (EU) 2022/2555 of 14 December 2022, published in the Official Journal of the European Union on 27 December 2022, significantly broadens the scope compared to NIS1: France moves from roughly 500 critical operators to more than 15,000 entities, according to estimates in the Senate's legislative file.
For management, the question is no longer whether cybersecurity matters, but how to answer three concrete points: are we directly in NIS2 scope, must we nevertheless prove a minimum maturity because large customers demand it, and how do we fund this without straining the 2026-2027 cash plan?
At Hayot Expertise we currently support several Paris SMEs facing complex contractual chains: a SaaS scale-up whose software is used by a regulated bank was recently asked to deliver a cyber audit within eight weeks, even though it is not itself in NIS2 scope. That kind of situation makes NIS2 knowledge necessary even when an entity is out of direct scope. Our articles on compliance audits 2026: method and deliverables and organisational audit firms are useful complementary reads.
French transposition status in spring 2026
NIS2 required Member States to transpose by 17 October 2024. France filed the bill on the resilience of critical infrastructures and the strengthening of cybersecurity — the "cyber resilience bill" — before the Senate in October 2024. The text transposes three European instruments at once: NIS2, the DORA regulation (digital operational resilience for financial services) and the CER directive (resilience of critical entities).
| Step | Date | Status |
|---|---|---|
| Filing in the Senate | 15 October 2024 | done |
| First-reading adoption in the Senate | 12 March 2025 | done |
| Special committee adoption in the National Assembly | September 2025 | unanimous |
| National Assembly floor debate | July 2026 (indicative) | pending |
| Publication in the Journal Officiel and implementing decrees | second half of 2026 expected | pending |
In parallel, ANSSI has been distributing the Référentiel Cyber France (ReCyF) since 17 March 2026. The reference framework is not mandatory by default, but it anticipates the measures that future in-scope entities will likely be expected to implement. The MonEspaceNIS2 FAQ and online eligibility simulator already allow companies to assess their situation.
Note. The European Commission has formally notified France for failure to transpose NIS2 on time. SMEs that bet on indefinite delay face the risk of a compressed agenda: if the bill is enacted in summer 2026, the first obligations could apply as early as autumn 2026 or early 2027 depending on implementing decrees.
Essential or important entity: where do you stand?
NIS2 classifies entities by the criticality of the sector and the size of the organisation. The directive lists sectors in Annex I (highly critical sectors) and Annex II (other critical sectors).
Highly critical sectors (Annex I)
Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructures (cloud, datacentres, DNS, TLD registries), ICT services management, public administration, space.
Other critical sectors (Annex II)
Postal and courier services, waste management, manufacturing and distribution of chemicals, food production and distribution, manufacturing of medical devices, of computer/electronic/optical products, of electrical equipment, of vehicles, digital providers (online marketplaces, search engines, social networking platforms), research.
Size thresholds (general rule)
| Category | Headcount | Turnover | Balance sheet |
|---|---|---|---|
| Essential entity (EE) | > 250 | > EUR 50m | > EUR 43m |
| Important entity (EI) | 50 to 250 | EUR 10m to 50m | EUR 10m to 43m |
| Out of scope (general rule, all three conditions met) | < 50 | < EUR 10m | < EUR 10m |
An entity in a highly critical sector exceeding EE thresholds is automatically classified as EE. An entity in a critical sector that meets EI thresholds is classified as EI. Thresholds are assessed at entity level and, where relevant, at group level depending on the economic structure. Special cases exist (sole providers of a service, entities identified by national authorities, public administrations): a sector-by-sector analysis is essential. The MonEspaceNIS2 simulator is the first sorting step.
What concrete duties for in-scope SMEs?
The directive imposes governance obligations and minimum technical measures, listed primarily in Article 21. Requirements are proportionate: stricter for EE, lighter for EI, with common fundamentals.
Governance and director responsibility
Management bodies (in French corporate law: president, CEO, manager, board) approve cyber risk management measures, supervise their implementation and can be held personally liable in case of breach. Cyber training is required for directors and recommended for staff. This is a major shift compared to NIS1: cybersecurity leaves the sole perimeter of the IT department.
Minimum technical and organisational measures
Article 21 of the directive requires at minimum:
- A risk analysis and information system security policy.
- Incident handling (detection, qualification, response, lessons learned).
- Business continuity, including backup management and disaster recovery.
- Supply chain security, including critical providers and subcontractors.
- Security of network and information systems acquisition, development and maintenance (vulnerability handling, responsible disclosure).
- Policies to assess the effectiveness of cyber risk management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control and asset management.
- The use of multi-factor authentication (MFA) or continuous authentication, secured communications and emergency communication systems.
Incident notification: the 24h / 72h / 1 month rule
Article 23 imposes a graduated notification to the national CSIRT (in France, CERT-FR within ANSSI):
| Step | Deadline | Content |
|---|---|---|
| Early warning | 24 hours | Suspected significant incident, indication of any malicious act, potential cross-border impact |
| Incident notification | 72 hours | Initial assessment (severity, impact, indicators of compromise), update of the early warning |
| Intermediate report | on request | Updates on the situation |
| Final report | 1 month | Detailed description, root cause, corrective measures, lessons learned |
An incident qualifies as "significant" when it has caused or is likely to cause severe operational disruption or financial losses for the entity, or when it has affected or is likely to affect other natural or legal persons (customers, partners).
What fines apply?
NIS2 sets up a sanctions regime inspired by GDPR, with higher caps and personal liability of directors. French transposition may increase these caps but cannot lower them.
| Category | Administrative cap | Additional measures |
|---|---|---|
| Essential entity (EE) | At least EUR 10m or 2 % of global annual turnover, whichever is higher | Temporary suspension of management functions; public naming of the sanction; injunctions, audits, mandatory certifications |
| Important entity (EI) | At least EUR 7m or 1.4 % of global annual turnover, whichever is higher | Similar injunctions and public naming; suspension of management functions is rarer |
The competent national authority is ANSSI, with inspection, audit and order-to-comply powers. The severity of the breach, cooperation of the entity, extent of harm and mitigating factors all influence the decision. In practice, public naming of a sanction is the reputational risk most feared by general management.
The often underestimated finance angle
An SME can survive a few hours without a marketing website. It survives much less comfortably without payroll, banking, invoicing, ERP, point of sale, customer files or accounting evidence. Cybersecurity is therefore as much a CFO topic and a business continuity topic as it is a CIO topic.
| Critical asset | Incident consequence | Priority measure |
|---|---|---|
| Payroll software | Late payslips, DSN filings, employee tensions | MFA, tested backups, vendor BCP/DRP clause |
| Invoicing and CRM | Cash blockage, customer disputes, loss of history | Off-site backups, regular exports, MFA |
| Online banking | Payment fraud, account takeover | Hardware MFA, dual approval, transaction caps |
| ERP or POS | Sales interruption, inventory errors | Redundancy, daily backups, network segmentation |
| Accounting data | Closing impossible, delayed audit | Off-site archiving, encryption, access log |
| Business email | Phishing, spoofing, CEO fraud | MFA, anti-spoofing (SPF/DKIM/DMARC), training |
The right question is not "where are the servers?" but "how many days can the business operate without invoicing, paying and filing?". This cash-flow lens aligns with the principles of our SME financial dashboards and KPIs for 2026 and connects with the French e-invoicing 2026 guide for SMEs, which compounds the dependency on IT systems.
Special cases: who is in scope below the thresholds?
NIS2 covers entities regardless of size in several cases:
- Sole providers of an essential service in a Member State.
- Providers whose service interruption would significantly impact public safety, security or health.
- Providers designated as critical by national authorities.
- Central and regional public administrations (the French Resilience bill extends the scope to roughly 1,500 local authorities and entities under their supervision).
- DNS service providers, top-level domain registries, qualified trust service providers.
More importantly, thousands of SMEs out of direct scope will be approached by their large customers. A bank, hospital, transport operator or in-scope public administration will require that its critical subcontractors meet a baseline of cyber controls. Requirements will typically be formalised in general purchasing conditions, supplier questionnaires and contractual clauses. This "cascade" effect is what will make NIS2 unavoidable in 2026-2027 for many indirectly affected SMEs.
SaaS software publishers are most exposed: see our tech and startup sector page, which details large-customer expectations around application security and hosting.
Our chartered accountant view: the six-month roadmap we recommend
NIS2 can feel overwhelming at first read. In practice, an organised SME can secure the essentials in six months on a budget of EUR 15,000 to 80,000 depending on size and initial maturity. Below is the framework we apply at Hayot Expertise for our SME and mid-cap clients.
- Month 1 — Diagnosis and qualification. MonEspaceNIS2 eligibility test, mapping of critical assets (applications, data, providers), review of current customer contracts to identify embedded cyber requirements. Deliverable: scoping note signed off by management.
- Month 2 — Governance. Appoint a cyber lead (internal or external), train directors, update delegation of powers, place cyber risk on the management committee agenda. Deliverable: cyber charter and committee minutes.
- Month 3 — Technical quick wins. Roll out MFA (banking, email, payroll, accounting, ERP), review admin accounts, basic network segmentation, antivirus/EDR plan. Deliverable: access register and remediation plan.
- Month 4 — Backups and continuity. Backup inventory, actual restoration test, business continuity plan (BCP) targeting payroll, invoicing and banking. Deliverable: restoration test report.
- Month 5 — Suppliers and subcontractors. Map critical providers, update contractual clauses (reversibility, security, incident notification), supplier questionnaires. Deliverable: supplier register with criticality levels.
- Month 6 — Incident plan and drill. Incident procedure (who to call, what to disconnect, what to report), tabletop exercise such as "ransomware on a Friday evening", cyber insurance review, presentation to the audit committee. Deliverable: tested incident plan and exercise debrief.
This roadmap leverages our digital transformation of the SME finance function, our outsourced CFO service for startups and SMEs in Paris and our Paris 8 chartered accounting services. For related topics, see our articles on DPO requirements 2026, EU AI Act for SMEs in 2026 and cyber insurance for SMEs: accounting and tax framing. A Power BI dashboard for cyber monitoring helps industrialise tracking (access, incidents, action plans).
2026 watch points
- Do not confuse NIS1 (repealed on 18 October 2024) with NIS2: the legal basis has changed.
- Do not wait for enactment of the French Resilience bill: the 2026-2027 agenda will be tight.
- Check cyber insurance clauses: recent contracts often exclude ransomware not reported to ANSSI or systems lacking MFA.
- Untested backups give false comfort; only a documented restoration test counts as evidence.
- CEO fraud and payment fraud remain the leading financial impact vectors — often outside NIS2 strictly but critical for the CFO.
- Document even the "out of scope" conclusion: a dated and signed qualification letter from the director provides protection in case of a control or a customer request.
Hayot Expertise advice. Do not treat NIS2 as a one-shot compliance exercise. Build a credible cyber governance first (named lead, regular committee, director training), then iterate on technical measures. Most sanctions issued in Europe since NIS2 entered into force have addressed governance gaps more than isolated technical failures. Document everything: documentation protects you as much as the tools deployed.
Key takeaways
- NIS2 (EU directive 2022/2555) expands the cyber perimeter to 15,000-18,000 French entities.
- Two categories: essential entities (EE, highly critical sectors, > 250 staff or > EUR 50m) and important entities (EI, 50-250 staff or EUR 10-50m).
- Mandatory incident notification to ANSSI/CERT-FR within 24h (early warning), 72h (notification) and 1 month (final report).
- Fines capped at EUR 10m or 2 % of global turnover for EE, EUR 7m or 1.4 % for EI, with personal director liability.
- The French Resilience bill is expected to be enacted in summer 2026, with first obligations applying late 2026 / early 2027.
- Even when not directly in scope, many SMEs will need to prove minimum cyber maturity to their large customers.
Frequently asked questions
Must all French SMEs register under NIS2?
No. Applicability depends on the sector (Annexes I and II of the directive) and on size thresholds: from 50 employees or EUR 10m of turnover for important entities, more than 250 employees or EUR 50m for essential entities. But even outside direct scope, many SMEs will have to produce cyber evidence for their customers or insurers.
What is the difference between an essential entity and an important entity?
Essential entities belong to the highly critical sectors (Annex I: energy, health, banking, transport, digital infrastructures, public administration) and exceed the SME thresholds. Important entities belong to the other critical sectors (Annex II: food, manufacturing, digital providers, research, waste) or are in-scope SMEs. The baseline obligations are identical, but controls and sanctions are stricter for essential entities.
When will the resilience bill be adopted in France?
The bill was adopted by the Senate on 12 March 2025 and then by the special committee of the National Assembly in September 2025. Floor debate is scheduled for July 2026 according to the indicative calendar. The first obligations should apply in late 2026 or early 2027 depending on the implementing decrees.
What is the deadline for notifying an incident to ANSSI?
Article 23 of NIS2 imposes three-step reporting to CERT-FR: an early warning within 24 hours of becoming aware of the significant incident, a detailed notification within 72 hours with a severity assessment and indicators of compromise, then a final report within one month of the incident.
What are the maximum sanctions under NIS2?
For essential entities, the administrative fine can reach EUR 10m or 2 % of global annual turnover, whichever is higher. For important entities, the cap is EUR 7m or 1.4 % of global turnover. These are supplemented by temporary suspension of management functions and public naming of the sanction.
Is the CFO concerned by NIS2?
Yes. Payroll, invoicing, banking, ERP, treasury and accounting data are critical assets. The CFO must integrate cyber into internal control, verify the compliance of accounting and banking providers, and provision the cyber budget in the 2026-2027 cash plan.
Is the ReCyF mandatory?
No. ANSSI has been distributing the Référentiel Cyber France since 17 March 2026 as a working document listing the recommended measures to achieve the security objectives set by NIS2. It is not mandatory by default but is the practical reference for preparing an approach consistent with the directive and the future transposition law.
Must an SME outside NIS2 scope still prepare?
Yes, in most cases. In-scope principals (banks, hospitals, public operators, large manufacturers) now impose cyber requirements on their critical subcontractors through supplier questionnaires and contractual clauses. An SME wishing to keep these customers must be able to demonstrate minimum maturity: MFA across the board, tested backups, an incident plan and an access register.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.
Regulated French accounting and audit firm based in Paris 8, built to support companies across France with a digital and decision-oriented approach.
Sources
Official and operational sources cited for this page.
- ANSSI - Directive NIS 2 (cyber.gouv.fr)
- MonEspaceNIS2 - FAQ on essential and important entities
- Directive (EU) 2022/2555 NIS 2 - consolidated text on EUR-Lex
- ANSSI - MonEspaceNIS2 portal (eligibility test)
- Sénat - bill on the resilience of critical infrastructures and cybersecurity
- Vie-publique.fr - cyber resilience bill
- Assemblée nationale - legislative file for resilience bill no. 1112